Admin change password flow

2025-06-05 21:59:27 +02:00 · 2024-04-10 00:01:03 +03:00
parent 31cc6e51b5
commit 189d096834
8 changed files with 159 additions and 40 deletions
--- a/src/endpoints/users-admin.js
+++ b/src/endpoints/users-admin.js
@@ -1,3 +1,4 @@
+const fsPromises = require('fs').promises;
 const storage = require('node-persist');
 const express = require('express');
 const slugify = require('slugify').default;
@@ -191,6 +192,33 @@ router.post('/create', requireAdminMiddleware, jsonParser, async (request, respo
    }
 });

+router.post('/delete', requireAdminMiddleware, jsonParser, async (request, response) => {
+    try {
+        if (!request.body.handle) {
+            console.log('Delete user failed: Missing required fields');
+            return response.status(400).json({ error: 'Missing required fields' });
+        }
+
+        if (request.body.handle === request.user.profile.handle) {
+            console.log('Delete user failed: Cannot delete yourself');
+            return response.status(400).json({ error: 'Cannot delete yourself' });
+        }
+
+        await storage.removeItem(toKey(request.body.handle));
+
+        if (request.body.purge) {
+            const directories = getUserDirectories(request.body.handle);
+            console.log('Deleting data directories for', request.body.handle);
+            await fsPromises.rm(directories.root, { recursive: true, force: true });
+        }
+
+        return response.sendStatus(204);
+    } catch (error) {
+        console.error('User delete failed:', error);
+        return response.sendStatus(500);
+    }
+});
+
 module.exports = {
    router,
 };
--- a/src/endpoints/users-private.js
+++ b/src/endpoints/users-private.js
@@ -67,15 +67,20 @@ router.post('/change-password', jsonParser, async (request, response) => {
            return response.status(403).json({ error: 'User is disabled' });
        }

-        const isAdminChange = request.user.profile.admin && request.body.handle !== request.user.profile.handle;
-        if (!isAdminChange && user.password && user.password !== getPasswordHash(request.body.oldPassword, user.salt)) {
+        if (!request.user.profile.admin && user.password && user.password !== getPasswordHash(request.body.oldPassword, user.salt)) {
            console.log('Change password failed: Incorrect password');
            return response.status(401).json({ error: 'Incorrect password' });
        }

-        const salt = getPasswordSalt();
-        user.password = getPasswordHash(request.body.newPassword, salt);
-        user.salt = salt;
+        if (request.body.newPassword) {
+            const salt = getPasswordSalt();
+            user.password = getPasswordHash(request.body.newPassword, salt);
+            user.salt = salt;
+        } else {
+            user.password = '';
+            user.salt = '';
+        }
+
        await storage.setItem(toKey(request.body.handle), user);
        return response.sendStatus(204);
    } catch (error) {